
Re: When are security updates effective?



On Sat, Sep 02, 2006 at 10:37:04AM +0200, Rolf Kutz wrote:
> * Quoting Mikko Rapeli (mikko.rapeli@iki.fi):
> > I think it is relevant: should the effectiveness actions in general 
> > be based on the host where the update was applied through lsof, package 
> > dependencies provided and digitally signed by Debian, some other information
> > provided and digitally signed by the Debian security team in an
> > advisory or something else?

Or package installation scripts provided by the package maintainer.

> The problem here is that when the software has
> been exploited already, installing the security
> update doesn't fix the problem anymore.

Exploited to what extent? Without stack protection, address space
randomization, SELinux etc., it's very difficult to know whether a
process's address space has been violated. And non-privileged processes
don't have write access to binary files on the system without additional
local root holes.

My point is: lsof may not be trustworthy on a per-host basis when making
security updates effective. The time between security bug publication and
applying the updates varies too much. If a Linux distro can do better
than Windows and not require a full reboot after every update, I'd like to
see a confirmation of the steps required to make the update effective
from a source I trust anyway.

-Mikko
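The per-host check discussed above (asking lsof which processes still run the old code after a library or binary was replaced) can be read straight out of procfs: once dpkg unpacks the new file, the old inode stays mapped in every running process and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The script below is an added example, not code from the thread or from Debian; the function names and the sample maps content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds processes that still
# map a file that has since been replaced on disk, i.e. processes for which
# a security update is not yet effective. Relies on the kernel tagging such
# mappings "(deleted)" in /proc/<pid>/maps, which is what lsof reports too.

# stale_libs_from_maps: read one /proc/<pid>/maps stream on stdin, print the
# distinct paths of replaced/deleted regular files that are still mapped.
# Fields: address perms offset dev inode path ["(deleted)"]. SysV shared
# memory, /dev entries and memfd objects are always "(deleted)" and are not
# updates, so they are skipped.
stale_libs_from_maps() {
    awk '$NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(dev|SYSV|memfd:)/ { print $6 }' \
        | sort -u
}

# scan_running_processes: walk every readable /proc/<pid>/maps on this host
# and print "pid<TAB>comm" followed by one indented line per stale path.
# Needs root to see processes of other users.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_libs_from_maps < "$maps")
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\n' "$pid" "$comm"
        printf '%s\n' "$stale" | sed 's/^/\t/'
    done
}

# Constructed sample in /proc/<pid>/maps format (not captured from a real
# host): sshd still has the pre-update libc mapped after the package was
# replaced; libcrypto is current; the SysV segment is noise.
SAMPLE_MAPS='08048000-0804c000 r-xp 00000000 03:01 12345 /usr/sbin/sshd
b7e00000-b7f00000 r-xp 00000000 03:01 23456 /lib/libc-2.3.6.so (deleted)
b7f00000-b7f10000 rw-p 00100000 03:01 23456 /lib/libc-2.3.6.so (deleted)
b7f20000-b7f30000 r-xp 00000000 03:01 34567 /lib/libcrypto.so.0.9.8
b7f40000-b7f41000 rw-s 00000000 00:07 5 /SYSV00000000 (deleted)
bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]'

# Usage: run with --scan to inspect the live host, otherwise show the sample.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
else
    echo "stale mappings in constructed sample:"
    printf '%s\n' "$SAMPLE_MAPS" | stale_libs_from_maps
fi
```

This answers "which processes still execute the old code", which is the restart list lsof would give you. It does not address the other point raised in the message: the kernel and procfs on a host that may already have been exploited are no more trustworthy than lsof on that host, so the output is only as good as the host it was produced on. A further caveat: a process that has already been restarted but dlopen()s the old library again from a stale path, or a statically linked binary that was rebuilt, will not show up here at all.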


